Lecture 7: Data Security and Copyright (38 slides) Lecturer: Prof. Anatoly Sachenko Information Technology

Upload: stephanie-patrick

Post on 11-Jan-2016


Lecture Overview

Information Security Password Policy

Computer Viruses Protection

Copyright and the Law

Information Security – Definitions

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction

Governments, military, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status

Should confidential information about a business's customers, finances or new product line fall into the hands of a competitor, such a breach of security could lead to lost business, lawsuits or even bankruptcy of the business

Information Security – Proactive Policy

A proactive information security policy anticipates problems and attempts to guard against future problems, as opposed to discovering a problem and then trying to deal with the problem 'on the fly'

In any organisation there should be clearly defined policies for the detection of security problems, and what to do if a problem is noticed

Security problems may range from the physical presence of unauthorised persons in an office, through to suspicion of attempted unauthorised electronic entry to your computer networks

In all cases you should know whom to contact, and how to contact the relevant person, so that the matter can be investigated further

Information Security (continued)

If you are reporting a security problem you should do so without delay, to the relevant person within your organisation

If you are responsible for dealing with reports of security incidents you should always take action immediately, and follow the correct procedure within your organisation for investigating any problems

If you are working for a large organisation you have both rights and obligations to the organisation

For instance does an employer have the right to video film and record employees without their permission?

Can an employer read all email sent and received by employees?

Can an employer monitor what Internet sites an employee is accessing?

Information Security (continued)

Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset)

A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset

A threat is anything (man made or act of nature) that has the potential to cause harm

Identification is an assertion of who someone is or what something is

Authentication is the act of verifying a claim of identity

Information Security - Authorization

After a person, program or computer has successfully been identified and authenticated, it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change); this is called authorization

Information security uses cryptography to transform usable information into a form that renders it unusable by anyone other than an authorized user

This process is called encryption

Information Security – Authorization (cont-d)

Information that has been encrypted (rendered unusable) can be transformed back into its original usable form by an authorized user, who possesses the cryptographic key, through the process of decryption

Cryptography is used in information security to protect information from unauthorized or accidental disclosure while the information is in transit (either electronically or physically), and while information is in storage

Cryptography provides information security with other useful applications as well, including:

improved authentication methods

message digests

digital signatures

non-repudiation, and

encrypted network communications

Information Security (continued)

Public key encryption is a refined and practical way of doing encryption. It allows for example anyone to write a message for a list of recipients, and only those recipients will be able to read that message

Intrusion-detection systems can scan a network for people that are on the network but who should not be there or are doing things that they should not be doing, for example trying a lot of passwords to gain access to the network
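The "trying a lot of passwords" case from this slide, as an added Python example that is not part of the lecture: it flags any source address that produces a burst of failed logins inside a sliding time window. The log format, the sample lines, the function names and the thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the lecture). Assumed format:
#   <ISO timestamp> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T09:00:01 OK user=alice src=192.0.2.10
2024-03-01T09:00:05 FAIL user=bob src=192.0.2.11
2024-03-01T09:01:00 FAIL user=admin src=198.51.100.7
2024-03-01T09:01:02 FAIL user=root src=198.51.100.7
2024-03-01T09:01:03 FAIL user=admin src=198.51.100.7
2024-03-01T09:01:05 FAIL user=guest src=198.51.100.7
2024-03-01T09:01:06 FAIL user=admin src=198.51.100.7
2024-03-01T09:03:00 OK user=bob src=192.0.2.11
2024-03-01T09:30:00 FAIL user=carol src=192.0.2.12
2024-03-01T10:30:00 FAIL user=carol src=192.0.2.12
malformed line that the parser must skip
"""


def parse_line(line):
    """Return (timestamp, outcome, user, src) or None for a line that does not fit the format."""
    parts = line.split()
    if len(parts) != 4 or parts[1] not in ("OK", "FAIL"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "user" not in fields or "src" not in fields:
        return None
    return ts, parts[1], fields["user"], fields["src"]


def detect_password_guessing(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Map each source that reaches max_failures failed logins within window to alert details."""
    recent = defaultdict(deque)   # src -> failed attempts still inside the window
    alerts = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue              # ignore lines we cannot interpret
        ts, outcome, user, src = event
        if outcome != "FAIL":
            continue
        attempts = recent[src]
        attempts.append((ts, user))
        # Forget failures that are older than the window.
        while attempts and ts - attempts[0][0] > window:
            attempts.popleft()
        if len(attempts) >= max_failures and src not in alerts:
            alerts[src] = {
                "since": attempts[0][0],
                "failures": len(attempts),
                "users": sorted({u for _, u in attempts}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_password_guessing(SAMPLE_LOG).items():
        print(src, info)
```

A single mistyped password (bob) and two failures an hour apart (carol) stay below the threshold; only the source with five failures in six seconds is reported, together with the account names it tried.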

Information Security (continued)

Firewalls are systems which help protect computers and computer networks from attack and subsequent intrusion by restricting the network traffic which can pass through them, based on a set of system administrator defined rules

Access authorization restricts access to a computer to a group of users through the use of authentication systems

These systems can protect either the whole computer - such as through an interactive logon screen - or individual services, such as an FTP server

There are many methods for identifying and authenticating users, such as passwords, identification cards, and, more recently, smart cards and biometric systems

Information Security (continued)

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information

Social engineering awareness – keeping employees aware of the dangers of social engineering and/or having a policy in place to prevent social engineering can reduce successful breaches of the network and servers

Information Security – User ID & Password & Access Rights

A User ID is normally used to log on to a computer, or computer network

It uniquely identifies you to the network. In addition you use a password which is only known to you

The password guarantees that no one can access the network and impersonate you (in theory)

Once you have logged on (i.e. connected) to the rest of your computer network you will have been assigned access rights to the network

Your network administrator will have defined these access rights

The idea of access rights is that you only have the ability to connect to or share devices which you have authority to use

Information Security – Access Rights & Password

In other words, the network administrators often have access rights to just about every computer, printer, modem etc on the network

You on the other hand may have access rights to print to only certain, specified printers, and you may be able to access only certain data held on the network

A password is a form of secret authentication data that is used to control access to a resource

The password is kept secret from those not allowed access, and those wishing to gain access are tested on whether or not they know the password, and are granted or denied access accordingly

Information Security – Password Policy

A password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly

A password policy is often part of an organization's official regulations and may be taught as part of security awareness training

Password formation. Some policies suggest or impose requirements on what type of password a user can choose, such as:

The use of both upper- and lower-case letters (case sensitivity)

Inclusion of one or more numerical digits

(continued on the next slide)

Information Security - Password Policy (continued)

Inclusion of special characters

Prohibition of words found in a dictionary or cracker's list

Prohibition of passwords that are valid calendar dates or license plate numbers

Password duration - some policies require users to change passwords periodically, e.g. every 90 or 180 days

Ideally a password should be at least 8 characters long & contain a mixture of words and numbers

It is also recommended that you change your password regularly
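The password formation rules listed on this slide and the previous one, turned into a checker as an added Python example (not part of the lecture). The word list, the accepted date layouts, the licence-plate pattern and the rule names are assumptions chosen for illustration, and undoing digit-for-letter substitutions before the dictionary lookup goes one step beyond what the slide states.

```python
import re
from datetime import datetime

MIN_LENGTH = 8  # "at least 8 characters long"

# Constructed stand-in for a dictionary / cracker's list (assumption: a real
# deployment would load a much larger file).
WORDLIST = {"password", "welcome", "dragon", "sunshine", "letmein"}

# Assumed date layouts and licence-plate shape; adapt both to local conventions.
DATE_FORMATS = ("%d%m%Y", "%Y%m%d", "%d%m%y", "%d.%m.%Y", "%d/%m/%Y", "%Y-%m-%d")
PLATE_RE = re.compile(r"[A-Za-z]{2,3}[ -]?\d{3,5}[A-Za-z]{0,2}")

# Common digit/symbol-for-letter substitutions, undone before the lookup.
LEET = str.maketrans("013457@$", "oieastas")


def is_calendar_date(pw):
    """True if the whole password parses as a valid date in one of the assumed layouts."""
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(pw, fmt)
            return True
        except ValueError:
            continue
    return False


def is_dictionary_word(pw, wordlist=WORDLIST):
    """True if the password is a listed word once padding and substitutions are removed."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())   # drop leading/trailing digits, symbols
    core = re.sub(r"[^a-z]", "", core.translate(LEET))    # undo substitutions, keep letters
    return core in wordlist


def check_password(pw):
    """Return the list of violated rules (empty list means the password passes)."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append("too_short")
    if not any(c.isupper() for c in pw):
        violations.append("no_uppercase")
    if not any(c.islower() for c in pw):
        violations.append("no_lowercase")
    if not any(c.isdigit() for c in pw):
        violations.append("no_digit")
    if not any(not c.isalnum() for c in pw):
        violations.append("no_special")
    if is_dictionary_word(pw):
        violations.append("dictionary_word")
    if is_calendar_date(pw):
        violations.append("calendar_date")
    if PLATE_RE.fullmatch(pw):
        violations.append("license_plate")
    return violations


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("Tr4ffic-Cone!9", "P@ssw0rd1", "19.05.1987", "KA1234BC"):
        print(candidate, check_password(candidate))
```

"P@ssw0rd1" satisfies every character-class rule and the length rule, yet is rejected as a dictionary word, which is why the slide lists the dictionary prohibition separately from the composition requirements.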

Information Security - Password Policy (continued)

Good password practice. Password policies often include advice on proper password management such as:

Never sharing a computer account

Never using the same password for more than one account

Never telling a password to anyone, including people who claim to be from customer service or security

Never writing down a password

Never communicating a password by telephone, e-mail or instant messaging

Being careful to log off before leaving a computer unattended

Changing passwords whenever there is suspicion they may have been compromised

Information Security (continued)

A smart card, chip card, or integrated circuit card (ICC), is defined as any pocket-sized card with embedded integrated circuits which can process information

The card is made of plastic

The card may embed a hologram to avoid counterfeiting

Biometric methods promise authentication based on unalterable personal characteristics, but currently have high error rates and require additional hardware to scan, for example, fingerprints, irises

Information Security – Backup

The most important thing which you store on your computer is information

Often the contents of a hard disk can represent years of work

If the hard disk stops working one day you could lose all those years of work

For this reason it is VITAL that you take regular backups of the information which is stored on the computer

Information Security – Backup (cont-d)

Backups are a way of securing information

They are another copy of all the important computer files kept in another location

These files are kept on hard disks, CD-Rs, CD-RWs, and tapes

Suggested locations for backups are a fireproof, waterproof, and heat proof safe, or a separate, offsite location away from where the original files are contained

Some individuals and companies also keep their backups in safe deposit boxes inside bank vaults

Information Security (continued)

What if your laptop is stolen?

If there was no start-up password then all the data on the computer could be at risk

The same goes for important/sensitive documents; if these were not individually password protected they could also be vulnerable

If you work within a large organisation, always report an incident of this type immediately to your technical support department

What if your mobile phone is stolen?

Call your technical support department if working for a large organisation

If you work alone, then call the phone network operator and report the phone as stolen

Computer Viruses

A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user

The original virus may modify the copies, or the copies may modify themselves, as occurs in a metamorphic virus

A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive

Computer Viruses (continued)

Additionally, viruses can spread to other computers by infecting files on a network file system, or a file system that is accessed by another computer

Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk

Others are not designed to do any damage, but simply replicate themselves, and perhaps make their presence known by presenting text, video, or audio messages

Today's viruses may also take advantage of network services such as the World Wide Web, e-mail, and file sharing systems to spread, blurring the line between viruses and worms

Computer Viruses - Computer Worm

A computer worm is a self-replicating computer program

It uses a network to send copies of itself to other nodes (computer terminals on the network), and it may do so without any user intervention

Unlike a virus, it does not need to attach itself to an existing program

Worms almost always cause harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer

Computer Viruses – Trojan Horse

A Trojan horse, or simply trojan, is a piece of software which appears to perform a certain action, but in fact, performs another

Contrary to popular belief, this action, usually encoded in a hidden payload, may or may not be acutely malicious, but Trojan horses are notorious today for their use in the installation of backdoor programs

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected

The backdoor may take the form of an installed program, or could be a modification to an existing program or hardware device

Computer Viruses – Trojan Horse (continued)

Unlike viruses, it does not propagate by self-replication but relies heavily on the exploitation of an end-user (see Social engineering above)

In the field of computer architecture, Trojan Horse can also refer to security loopholes that allow kernel code to access anything for which it is not authorized

A simple example of a Trojan horse would be a program named "waterfalls.scr" which claimed to be a free waterfall screensaver

When run, it would instead open computer ports and allow hackers to access the user's computer remotely

Trojan Horse – Damage Examples

Erasing or overwriting data on a computer

Upload and download files

Spreading other malware, such as viruses: this type of Trojan horse is called a 'dropper' or 'vector'

Setting up networks of zombie computers in order to launch DDoS attacks or send spam

Spying on the user of a computer and covertly reporting data like browsing habits to other people

Logging keystrokes to steal information such as passwords and credit card numbers

Installing a backdoor on a computer system

Deactivating or interfering with anti-virus and firewall programs

Computer Viruses (cont-d)

The majority of Trojan horse infections occur because the user was tricked into running an infected program

This is why it is advised to not open unexpected attachments on emails: the program is often a cute animation or an image, but behind the scenes it infects the computer with a Trojan or worm

The infected program doesn't have to arrive via email; it can be sent in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk

Furthermore, an infected program could come from someone who sits down at a computer and loads it manually

Computer Viruses - Backdoor

A backdoor in a computer system, or cryptosystem, or algorithm is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected

The backdoor may take the form of an installed program, or could be a modification to an existing program or hardware device

Computer Viruses - Protection

The safest way to use a computer is to not connect it to a Local Area network or the Internet

This is called a 'stand-alone' computer; providing that you do not use floppy disks on that PC which have been used in other computers, this type of computer is virtually immune from any form of intrusion

Unfortunately it is the ability to connect to other computers or indeed the Internet which makes the modern computer so versatile and so useful

Always make sure that all computers require an ID and password to access them

Make sure that all relevant 'security patches' from Microsoft have been applied

Computer Viruses – Protection (cont-d)

If you discover a virus on your computer don’t panic

If your virus checker alerts you to a virus then the chances are that it has caught the virus before the virus could infect your computer and cause damage

For instance you may insert a diskette into your computer and the virus checker should automatically scan the diskette

If the diskette contains a virus, a message will be displayed telling you that the diskette is infected, and it should automatically remove the virus

The other common method of infection is via emails

If you work within a larger company, you should have a company IT support group which will come and rid your computer of viruses

Be sure that you are familiar with your company’s policy regarding viruses

Computer Viruses – Protection (cont-d)

Anti virus software can only detect viruses (or types of viruses) which the software knows about

As such it is vital that you keep your anti virus software up to date so that it can detect new viruses which are constantly appearing

Running a virus checker on a machine which contains a virus is known as disinfecting the PC, as the virus checker will detect, and then eliminate, the virus

Make sure that your virus checker is configured so that, as well as scanning your computer for viruses when you first switch on your PC, it remains active in the computer’s background memory, constantly looking for signs of virus attack

This is very important when connecting to the Internet

Computer Viruses – Protection (cont-d)

Be very cautious about opening unsolicited emails, especially if they contain file attachments

A good anti-virus program should detect most threats from virus-infected emails

Any file which you download from the Internet may in theory contain a virus

Be especially careful about downloading program files (files with a file name extension of .COM or .EXE)

Microsoft Word or Excel files can contain macro viruses

Basically trust no one when it comes to downloading files

Do not connect to the Internet unless you have a good anti-virus program installed on your computer

Copyright - Software License

A software license comprises the permissions, rights and restrictions imposed on software, whether a component or a free-standing program

Use of software without a license could constitute infringement of the owner's exclusive rights under copyright, or occasionally, patent law, and allow the owner to sue the infringer

A software license agreement is a memorandum of contract between a producer and a user of computer software which grants the user a software license

Copyright - License Agreement

A software license agreement indicates the terms under which an end-user may utilize the licensed software, in which case the agreement is called an end-user license agreement or EULA

A free software license grants the right to modify, and redistribute the licensed software, both of which would ordinarily be forbidden by copyright law

Copyright - License Agreement (cont-d)

Shareware software is software that can be obtained by a user, often by downloading from the Internet or on magazine cover-disks, free of charge to try out a program before you buy the full version of that program

If the "tryout" program is already the full version, it is available for a short amount of time, or it does not have updates, help, and other extras that buying the added programs has

Shareware has also been known as "try before you buy"

A shareware program is accompanied by a request for payment, and the software's distribution license often requires such a payment

Data protection legislation

The most important piece of legislation in the area is the European Data Protection Directive 1995 that has been implemented in all European Union (EU) member states and with which companies have to comply in order not to misuse personal data

The directive deals with the protection of individuals with regard to the processing of personal data and on the free movement of such data

Objective of the directive: data-processing systems are designed to serve man, whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals
